Headline
GHSA-9hcv-j9pv-qmph: TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditable_regexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor.
Patches
This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the noneditable_regexp option, any content within an attribute is properly verified to match the configured regular expression before being added.
Fix
To avoid this vulnerability:
- Upgrade to TinyMCE 7.2.0 or higher.
- Upgrade to TinyMCE 6.8.4 or higher for TinyMCE 6.x.
- Upgrade to TinyMCE 5.11.0 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).
References
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
- Open an issue in the TinyMCE repo
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-9hcv-j9pv-qmph
TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
Moderate severity GitHub Reviewed Published Jun 19, 2024 in tinymce/tinymce • Updated Jun 19, 2024
Package
nuget TinyMCE (NuGet)
Affected versions
< 5.11.0
>= 6.0.0, < 6.8.4
>= 7.0.0, < 7.2.0
Patched versions
5.11.0
6.8.4
7.2.0
< 5.11.0
>= 6.0.0, < 6.8.4
>= 7.0.0, < 7.2.0
< 5.11.0
>= 6.0.0, < 6.8.4
>= 7.0.0, < 7.2.0
Published to the GitHub Advisory Database
Jun 19, 2024
Last updated
Jun 19, 2024